Hackers Steal Face ID Scans To Rob From Mobile Banking Accounts

Researchers at Group-IB have discovered new malware that steals Face ID scans and uses them to create deepfakes, giving the attackers unauthorized access to the victim’s banking account.

According to a new report by Group-IB, this is an “exceptionally rare occurrence – a new sophisticated mobile Trojan specifically aimed at iOS users.” The trojan, dubbed GoldPickaxe.iOS by Group-IB’s Threat Intelligence unit, has been linked to a Chinese-speaking threat actor codenamed GoldFactory, which is also responsible for other malware strains such as ‘GoldDigger’, ‘GoldDiggerPlus,’ and ‘GoldKefu.’

The new malware, which is available for Android and iOS, is based on the GoldDigger Android Trojan and is capable of collecting facial recognition data and identity documents, as well as intercepting SMS messages.

“It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices,” the researchers said in the report.

“Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.”

Group-IB says its analysts noticed attacks primarily targeted at the Asia-Pacific region, mainly Thailand and Vietnam, impersonating local banks and government organizations.

GoldPickaxe, which was first discovered in October 2023 and is still ongoing, targets both Android and iOS users. It is considered to be part of a GoldFactory campaign that began in June 2023 with GoldDigger.

In such attacks, the initial contact with potential victims was made by the attackers through phishing or smishing messages on the LINE app, one of the region’s most popular instant messaging services, by imitating government authorities, before sending fake URLs that led to the deployment of GoldPickaxe on the devices.

For example, in the case of Android, criminals mimicked officials from the Thai Ministry of Finance and lured victims into installing a fraudulent application posing as a ‘Digital Pension’ app from websites posing as Google Play Store pages or fake corporate websites in Vietnam, which would supposedly enable the victims to receive their pension digitally.

However, in the case of GoldPickaxe for iOS, the threat actors initially directed victims to Apple’s TestFlight software, which distributes beta software, to install the malicious app. If this technique failed, they would trick them into installing a Mobile Device Management (MDM) profile, which would give them complete control over the victim’s device.

Once the trojan has been activated on the mobile device, the malware is equipped to collect the victim’s ID documents and photos, intercept incoming SMS messages, and proxy traffic through the victim’s infected device. Besides this, the victim is also prompted to record a video as a ‘confirmation method’ in the fake app.

“GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application. The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services,” said security researchers Andrey Polovinkin and Sharmine Low.

Once the biometric scans were captured, they were used to create AI deepfakes that impersonate the victims, enabling a cybercriminal to bypass facial recognition checks and gain unauthorized access to the victims’ accounts.

“We hypothesize that the cybercriminals are using their own devices to log in to bank accounts. The Thai police have confirmed this assumption, stating that cybercriminals are installing banking applications on their own Android devices and using captured face scans to bypass facial recognition checks to perform unauthorized access to victims’ accounts,” Group-IB concluded.

“Threat actors such as GoldFactory have well-defined processes, operational maturity, and demonstrate an increased level of ingenuity. Their ability to simultaneously develop and distribute malware variants tailored to different regions shows a worrying level of sophistication.”

To stay protected from the malware, Group-IB advises bank users not to click on suspicious links, to download applications only from official platforms such as the Google Play Store, Apple App Store, and Huawei AppGallery, to carefully review the permissions requested when installing a new app, to avoid adding unknown contacts in their messenger, to verify the validity of bank communications, and to act promptly by contacting their bank if they believe they have been defrauded.

Kavita Iyer